Slashdot videos: Now with more Slashdot!

View

Discuss

Share

We've improved Slashdot's video section; now you can view our video interviews, product close-ups and site visits with all the usual Slashdot options to comment, share, etc. No more walled garden! It's a work in progress -- we hope you'll check it out (Learn more about the recent updates).

New submitter uCallHimDrJ0NES writes "Security researcher Mark Gamache has used Moxie Marlinspike's Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It's been going on for a long time, probably, but this is the first time a 'white hat' has researched and exposed the how-to details for us all to enjoy. 'You might think that with all the papers and presentations, no one would be using NTLM...or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!' Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!"

OK, I did the unthinkable and skimmed the actual article, but I still have no idea what NTLM does, why it was chosen for whatever task it does, or what the potential repercussions are now that it's broken. Even the "Reminder About the Downside of Doing Nothing" section, which I hoped would explain exactly what an attacker could do, was light on details. Something about sending passwords to a remote machine?

I distinctly remember using NTLMv2 in both NT 4.0 and Win2K, for a product I was developing for those platforms. NTLMv2 was an option. You could also choose whether the negotiation could downgrade to NTLM if the other side didn't support NTLMv2, or if the negotiation would insist on NTLMv2. But NTLMv2 didn't become the default until Vista -- the first version of Windows that strongly emphasized security.

If you have a web proxy (e.g. squid) with user authentification, you probably are also using NTLM for sending hashed one-time passwords. The only other alternative is Digest authentication, which only few client programs support. The NTLM version used depends on the client machine.

Squid works fine with Kerberos and AD authentication. And since Vista and Windows 7 are a pain to setup Proxy authentication on Squid ntlm_auth most people should be using Kerberos or digest right now.

What caused the issue?Until January 2000, export restrictions limited the maximum key length for cryptographic protocols. The LM and NTLM authentication protocols were both developed before January 2000 and therefore were subject to these restrictions. When Windows XP was released, it was configured to ensure backward-compatibility with authentication environments designed for Windows 2000 and earlier.

This is the name for Microsoft's 2nd generation authentication protocol - for issuing challenges and responses related to encrypted passwords as a shared secret. The passwords are hashed with a salt, and the value compared with the known password, by the authentication service. This is a variant introduced by Windows NT on the LAN Manger scheme - cooked up in the remote past by MS and IBM, based on Ungerman-Bass software.

The attacker only gets the password, however the password is never directly used, it is always converted to the hash.The hash is essentially the real password, and for injection attacks is more useful than the password as it saves you from converting the password to the hash.

XP and 2000 can be made to use NTLMv2 but you have to either use Group Policy or set it in Local Security Policy. I don't know/why/ Microsoft didn't make it default to at least use v2 if both ends agreed, but they wouldn't have forced it on because of back compatibility with NT4 domains.

The first paragraph on Wikipedia is excellent: http://en.wikipedia.org/wiki/NTLM [wikipedia.org]
Also important to note this is only referring to NTLMv1 which is hella old. Also just because you are running Windows XP still doesn't mean you are using NTLMv1. It's a bit more complex than that.

I read SlashDot because it is an important and timely source of technical news. But all too often articles are incomprehensible (without research) to readers outside some particular narrow discipline. Writing a lead in to an article is a skill that requires more than technical knowledge -- it requires knowledge (and some assumptions) about the experience of the intended readership. Like several oth

As a working reporter/writer for two decades, I offer some other tips:

Each sentence should be less important than the one before it. This is called pyramiding in the trade; it allows the reader to quit once he/she understands enough, or for an editor to cut from the bottom.

Never use a big word when a small, familiar one will do.

Keep sentences to less than thirty words, if at all possible. This is mandatory for the lead (first sentence.)

Pah. You should have left it at 4 points.Do paragraphing not often, but only as often as makes sense. One-sentence paragraphs are for those with grade 2 reading and writing level.

See Anna Merkin.

See Anna Merkin paragraph.

Paragraph, Anna Merkin, paragraph.

And commit Strunk and White to the *bin*, not to memory. See the many comments by Pullum on Language Log and elsewhere, for example, for reasons why. Pay special attention to the fact that White apparently doesn't even know what the passive voice is before

I have a friend who is a retired newspaper journalist. I wonder if I could interest him in devising some guidelines for ShashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

This will remain irrelevant until the editors do some editing rather than accepting article submissions that are no more than the output of a script that scrapes an RSS feed.

I wonder if I could interest him in devising some guidelines for ShashDot postings that even amateurs could apply with some improvement to the quality of their posts. Anyone enthusiastic about this?

Not in the slightest. I am, in fact, enthusiastically unenthusiastic about bringing the assumption that your reader needs all the 'the five Ws' answered or technical background spoon-fed to him onto the web.

Newspaper style guides were written for a time when a person who didn't understand the technical background had to pedal down to the library and find a book on the subject, read it, and come back to finish the story days or weeks later. It was better to give them a layman's understanding of the science

I'd say this affects Linux too - a bunch of machines with Samba are quite possibly vulnerable, and need a different settings change than what Windows does.At a minimum, the following in the smb.conf[global]
client ntlmv2 auth = yes
lanman auth = no
ntlm auth = no

This is one of the worst summaries I have ever read here. I can easily imagine the joy in the submitter as they are dancing to their own over the top writing style. NTLM is 100% broken. Oh no! Microsoft stopped recommending it and switched to Kerberos starting with Windows 2000. Who the hell cares that someone broke a protocol from 10+ years ago? If anything, it makes NTLM look really good. What sensationalist trash this is.

So... everyone joined to ActiveDirectory then eh? Its been known that NTLM hashes could be reused for years.

And for the record, my Samba servers have been using kerberos for years, not sure why yours aren't. Shitty admin perhaps? Must be as the previous stated reason is what causes a clueful admin to move to kerberos back in 2001 when XP made it possible to use network wide.

When you start mixing unix and windows servers on a domain you pretty much start off by switching everything to kerberos so everyt

"This summary is terrible"...Agree... this is being overblown. Any competent admin of a network of any size already followed guidelines issued nearly a decade ago to start forcing NTLMv2 only unless there was some very specific reason not too. Back in say 2004 time frame there were reasons, by 2008 there really was no excuse. Even if someone missed it it's a simple GPO change and refresh to mitigate as already pointed out throughout the thread. Yawn.

The crucial detail is whether the physical layer of the network can be trusted. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

Many modern networks, including wireless networks, have a non-trust worthy physical layer. In this case, only end-to-end encryption protects the network. Yes, the newer versions NTLM protect against the most obvious password scanning attacks. However, with a non-trust worthy physical layer, it is possible to simply scan all the network traffic and get the file contents from the network directly. Also, some (almost all?) ODBC and database servers send passwords in the clear. This makes it straightforward to do simple network traffic analysis attacks, and directly gather valuable information from the company network.

The bottom line is that only protocols like SSH work against a non-trustworthy physical layer.

. If the physical layer is trusted, then NTLM works fine. Historically, lots of corporate networks controlled every computer on the office network, and air-gapped the internet.

To what extent did they control them though? The bigger a network gets the more chance of a rouge device getting on it either through compromise of a machine that was legitimately there or through introducing a machine illegitimately.

To acheive any kind of security with Windows NT 3.5/4.0, you really need to control the physical layer thoroughly. Any device on the network is a potential source for untrusted code. Once you had untrusted code running on the computer, the network was compromised.

With Windows XP and Windows 7, it's pretty much impossible to lock down the computers. The security certifications that Microsoft had for Windows NT 4.0 no longer exist.

The only current desktop operating system technology that is equivalent t

I'm not sure what you mean with XP and 7 (and I assume Vista). Those are client systems. No, they don't offer Kerberos services. You need the server product. As client systems, they are far superior to NT 3.x and 4.0. Your "impossible to lock down" statement is just a setup for Linux fanboyism.

Also, some (almost all?) ODBC and database servers send passwords in the clear.

Many database servers allow encrypted passwords, but there are surely a lot of database installations that don't take advantage of it. In PostgreSQL you can use SSL for the client network connection [postgresql.org], which ODBC passes through. Setup SSL as the only way to connect, and encryption has to happen before it hits the wire. MySQL has a similar trick [mysql.com]. Both are just using the OpenSSL library under the hood to encrypt the network traffic.

On the commercial side, Oracle does the same thing with ORA_ENCRYPT_LOGIN [oracle.com]. SQL Server has client and server settings [microsoft.com] that enforce encryption. Basically, if your database traffic isn't encrypted, it's more likely because someone didn't think that was important than because it was impossible. It's a simple checkbox to add to database selection requirements, and it's not hard to find a DBMS that has the capability.

I find people who just stuff user passwords into the database (which can be the same passwords as other services) rather than putting password encryption into their application can also leak data. In PostgreSQL using the built-in pgcrypto [postgresql.org] makes that easy. You also have to be careful to use the same network encryption approach for any replication client, or it's possible to just sniff that instead to get the data. In Postgres those connect with the same encryption possible options as any other client. Most of the tutorials on setting up replication don't cover this though.

The crucial detail is whether the physical layer of the network can be trusted

Someone maintains that physical layer. Even if they are employees of the company, it doesn't follow that they can be trusted. Someone with access to the physical layer and an NTLM hack could "become" anyone else on the network and do whatever he wanted with little fear of getting caught.

Put another way, If everyone that was employed by the company could be trusted, they could all share the same login with unlimited access. If that makes you cringe, then so should NTLM. I think that's the point of the ar

Although GP is flamebait at best.. Because when LM and original NTLM were created it was an issue, and in 2003 compatibility was an issue, is why it is still around.

That said, I will say that for most people's needs there are plenty of adequate solutions. I find that LibreOffice(and OOo) do a decent job. PostgreSQL in many ways exceeds what MS-SQL does, and there are some decent integrated mail/calendar servers... I do think that Exchange is to this day best in it's class, and there are some features o

Microsoft tried to steer the market away from TCP/IP. It took them ages to get proper TCP/IP support, and when they did, they stole most of it from BSD (this was proven in the famous windows 2k code leak). They hate standards because it makes it harder to lock in their customers. NTLM is nothing but crapware designed to lock-in people. Really, explain WHAT exactly is it that NTLM solves/fixes, now or 10 years ago?

NTLM is a bit more than 10 years old... Hell v2 which addressed most of the OP issues is older than that. LM was created in the late 80s iirc. As for the BSD code in the NT network stack, that had been known for long before the code leak... It's been noted in license documents for over a decade. Why because BSD coffee is allowed in closed source programs. The post I referred to is flame bait because it is... Your post wasn't about truth, it's about hate. I don't love Microsoft, but I certainly don't hat

Even on a machine without AD, you can at least use Local Security Policy to access the setting in the Network Security category. Why they tell you to hack the registry, I don't know. While you're there, you should also enable "Do not store LAN Manager hash" and "Do not allow anonymous enumeration of SAM accounts and shares" (the latter only if you have no NT 4 domains or NT/9x clients).

By default, XP allows inbound NTLMv2 authentication from remote clients but does not use it outbound to authenticate to remote servers. The same setting that makes XP refuse LM/NTLM also enables outbound NTLMv2.

Yes, I worked in corporate I.T. before and know all the tired arguments. The OS will turn 13 years old later this year. 13 years?!

Not to mention XP SP 3 after 800 or so updates is slower and not the speed daemon it once was as 9 out of 10 CPU cycles are work around exploits. Stop defining yourselves and your ego on an OS made by the same people who wrote IE 6?

The idea for security in XP is from the last century where all you needed is a good password. It lacks things a modern internet enabled OS have today. It is not a trendmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in excel. This story, the one on IE 6-8 being vulnerably last week on slashdot, and many others stating XP is so primptive because it doesn't have protected mode, ASLR, are DEP fully (only a few things have that on XP).

If you ask this because your IT department has no plans to upgrade then another job who treat your profession and seriousness with respect.. They are incompetent and when shit hits the fan and social security numbers are stolen you will get the blame as the cost center and be let go anyway.

It is obvious with the latest security issues in IE6, IE 7-8 (in non protected mode), XP, and now this that it is time to let it go instead of workaround it. Investing time and money into it is like investing cash into a car with 200,000 miles.

These costs are real and so are the liabilities. Grow a pair and sell yourself the cheap asshats at your company? You are not saving anything by keeping an outdated insecure infrastructure and it is not unreasonable to upgrade to a 3 year old OS.

Yes it is more bloated now than the initial release and slower as a result, not helped by all the stuff installed on it now which uses more CPU than an equivalent program would have used 15 years ago, plus your AV program probably is checking every file/web access (but not Windows itself). But...

It isn't consuming most of its time actively running additional code to prevent exploits. Almost every exploit is corrected by correcting the original code to fix the bug that allows a buffer/integer overflow etc

you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad. The problem with that claim is that it is patently false as is obvious not only to anyone with a clue about CPUs, application execution, or anything related -- but even to anyone who gives it a passing thought (for one, your assertion implies 1/10 the performan

"The claim that "security in XP is from the last century where all you needed is a good password" also shows your utter and complete ignorance of XP and security architectures"

Right, you mean how in XP there is an IMPERSONATION SERVICE where a user mode program can run with kernel mode priveldges and impersonate a critical service?!

No ASLR, limited DEP, no priveldge seperation in the code. Yeah, XP is last century security wise which is fine as other operating systems from the 20th century lacked those as well.

"you may have worked in corporate IT but you have no clue. What is your source for wild ass claims like "9 out of 10 CPU cycles are work around exploits"? Oh, right, you pulled that out of your ass -- an invented statistic to try and make XP look bad"

Yeah, I am making it look bad because in 2013 it is bad. You are telling me after 1,000+ exploits there is no performance penalty or advanced filtering for every input and i/o after 12 years? THe fact of the matter is XP ran good on 128 megs of ram on a Pentium II 300 mhz in 2001. Why can't I run it like this. The answer is because of +700 patches.

I look at XP like a boat with holes all over encased with 3 feet of bandaids. I have not looked at hte source code and neither have you. I do not have to rely on fake statistics. Look at the evidence of it today? I can not see how it is possible to fix all the exploits without breaking apps.

My only explanaition is double the code size and filtering out every i/o and input due to the architecture not being able to withstand the malware we have today. NTLM is yet another example, while IE 6 - 8 while still being patched is not being hacked as I typed this because it can not run in protected mode in XP.

XP never once ran good on 128mb's of ram. Window 98 maybe, but not 2000 or XP. 512MB minimum for solid performance.

No ASLR, limited DEP, no priveldge seperation in the code. Yeah, XP is last century security wise which is fine as other operating systems from the 20th century lacked those as well.

ASLR was first implemented in July 2001, as part of the pax patch for linux... So it's about as old as XP.The idea of DEP was partially implemented much earlier, SunOS 4.x and Digital Unix 3.x had non executable stack areas, Linux had a patch to implement such too, it wasn't until much later that AMD implemented direct hardware support for non executable pages on x86, but it was effectively emulated in software long before that.

The idea of layers of filtering slowing down XP is ridiculous, that would be suc

It is not a trendmill at this point nor is MS being evil to the mean old beancounters who refuse to see hidden costs and just licensing on a spreadsheet in excel. This story, the one on IE 6-8 being vulnerably last week on slashdot, and many others stating XP is so primptive because it doesn't have protected mode, ASLR, are DEP fully (only a few things have that on XP).

You worked in corp IT and you think it is as easy as flipping a switch to make the change? Unlike the home enthusiast who doesn't mind learning the in/outs of a new OS many corporate users are task focused. The computer is a tool the same as a phone. For better/worse those users have no more interest in how the computer works than I have in the innards of my car's manual transmission. As long as it works I'm happy. If it doesn't I see an expert. You may consider the change from Win XP to Win 7 to be minor but for millions of corporate users any change can be huge and require training which is a double whammie of cost and lost productivity time. From a TCO perspective it is much cheaper to patch and manage than upgrade. The benefits of Win 7 are intangible to the end corporate users.

13 years is not the same timeframe as flipping a switch. From a TCO being hacked is very high as well as all sorts of security issues and not being able to log onto vendor/client portals, not being able to read Photoshop, autocad, and office 2013 files from users and other vendors, suppliers, and customers. XP already is getting more expensive to maintain than to keep current and it will get worse and worse.

As an IT professional it is your responsibility to keep your infrastructure secure and up to date. If

If you set ntlm auth = no, then Samba will reject plain NTLM and require either NTLM v2 (the normal case) or LANMAN (if you have bizzarely backdated your XP box). There is a risk that some software w2ill fail, so it's probably best if you create a pair of virtual servers, and set one up to use NTLMv2. As you find out what fails, you can move the unbroken services to the v2 server.

Somebody needs to get with the last decade since MSFT made Kerberos [wikipedia.org] the preferred authentication method waaaaay back in Win2K, so if you are still using NTLM for authentication after it has been depreciated for 13 years? I'd say you have bigger problems than NTLM being hacked.

I already replied to someone saying the best way to harden XP is called Windows 7.

I do not understand the strange obsession of keeping XP. Does it save money. No.

Geeks with aspergers lack the social skills to grow a pair and tell the cost accountants they are morons as if these companies who handle customer social security numbers, credit numbers, and other things with their billing department are ripe pickings with XP.

XP has been proven time and time again to be old, insecure, and has security features from a different era. It comes with IE 6. I mean did MS really make it that secure? Oh it is password protected. THat is good enough... check.

IE 6 - 8 are being exploited right now under XP because it lacks protected mode and even the Mr. Fixit from that exploit has already been circumvented. But those on XP claim they are saving money and how great and secure their OS is that wont listen. Just because it runs on machines with 256 megs of ram doesn't mean it is supperiorly coded and of high quality. THe misinformation many supposedly IT professionals are astounding.

I should start bookmarking these so when someone mods me down and says how great XP is and why change to an inferior bloated OS like win 7 I can cite this and the IE 6 -8 hole links?

of course, anyone taking your advice has their head screwed on wrong. Maybe your going about your advice wrong. First, try to learn something about the topic on which you want to give advice. Second, don't insult the people you are talking to at every turn. You really like the phrase "grow a pair", for example. Grow up.

Of course, the same criticism could be leveled at this post. Except I'm not trying to give you advice, just pointing out why your "sage advice" is falling on deaf ears.

Another thing about XP - any computer purchased in the past ~3 years is going to come with Windows 7. You can get Core i5 Lenovo laptops with 8gb ram for ~$600-$700. Yes, it costs money, but if your org is running computers from 2005, it's probably worth upgrading anyway, unless you have a valid reason for sticking with XP (e.g. your users run software that requires XP and won't run on Win7).

At my last job, cost was one of the barriers to upgrading to Win7. But we pitched it as a hardware upgrade - movin

Actually its worse than that Billy as XP still has the old WinNT 4 memory manager which frankly was designed in an era when memory was worth its weight in gold so it'll pimpslap the living hell out of swap LONG before you've even used half the RAM in the system. So in actuality you aren't saving any memory, you are just swapping more. Compare this to Win 7 where I have 500MB of my 8GB free right now, am I running something intensive? Nope its merely caching all my most used programs and Windows features so

Companies have lots and lots of very poorly written software which was designed to run on XP, and doesn't work (the same) on anything else. The reasons why it doesn't work are varied, some just refuses to run when it detects a version it doesn't recognise while others depend on the weaker security model of XP or other such things, while some software mostly works but some features are broken or behave differently.

The cost of testing all this software, and replacing what doesn't work is HUGE both in terms of money and man hours.

Eventually the cost of cleaning up the messes script kiddies make every time they pwn one of your XP machines (and lost business that comes with constantly sending out those "sorry, our security sucks, and now your name, password, credit card numbers, and social security number are on pastebin." messages to customers) will be HUGE-er.

Riiight, Linux is gonna save you money long term....how exactly? Lets look at the OS breaking moves just in the past 5 years, ALSA for a broken Pulse, KDE 3 and Gnome 2 just getting really good and stable....only to get shitcanned for alpha quality replacements, oh and lets not forget all the kernel twiddling by Linus "I'm an arrogant ass" Torvalds and the entire WiFi subsystem getting a serious rewrite that broke as much as it fixed. Quick, what do BSD, OSX,iOS,Windows,Solaris and even OS/2 have in common